[Fedora-directory-users] Update user passwords with "passwd"

Tim Hartmann hartmann at fas.harvard.edu
Mon Jan 26 15:53:28 UTC 2009


Well, I made some progress on this!

In part it turns out that I had my ACIs set too tightly in my "enable
self write for common attributes" ACI. So once I made some changes to
that ACI I was able to update my user password so long as the client
server was pointing at one of the Masters in /etc/ldap.conf and
/etc/openldap.conf; however, once I pointed those conf files back to my
LDAP Replicas, I was back to getting the same errors!

One small step closer to LDAP bliss!

Tim




Tim Hartmann wrote:
> Could be, but the test server I'm using has a copy of the pam configs
> from a production server that works fine in our OpenLDAP environment.
> I'm in the process of testing our new Directory Server in order to
> replace the old servers...  So same OS, and the same config files...
> which is part of why I'm stumped!  It's maddening being so close to the
> end of this project! :)
>
> Best
>
> Tim
>
>
>
> John A. Sullivan III wrote:
>   
>> On Fri, 2009-01-23 at 20:11 -0500, Tim Hartmann wrote:
>>> Hi!
>>>
>>> So I ran into yet another pot-hole in the road to LDAP bliss...
>>>
>>> We have a root suffix in our directory that stores the basic Posix
>>> attributes, including password. I've been able to configure my client to
>>> use ldap for directory services, and authenticate against my replicas,
>>> so far so good! Then I tried to change my user's password .. and that's
>>> where I started getting a bit hung up..
>>>
>>> At first I thought that it was because my replicas weren't sending the
>>> update requests/referrals back to the masters. (We have two masters that
>>> sit behind four consumers)
>>>
>>> Then I decided to change my ldap.conf files to point directly to my
>>> masters.... but I still received the same errors: "Can't contact LDAP
>>> Server", which was strange since I can do ldap searches against it all
>>> day, and even bind to the servers to do searches! and "Insufficient write
>>> privileges", which made me think that maybe it was an ACI.. but I have
>>> selfwrite enabled for the userPassword attribute...
>>>
>>> Here's the output of my failed attempt to change my user's password
>>> after logging in successfully to the server..
>>>
>>> Changing password for user foo.
>>> Enter login(LDAP) password:
>>> New UNIX password:
>>> Retype new UNIX password:
>>> LDAP password information update failed: Can't contact LDAP server
>>> Insufficient 'write' privilege to the 'userPassword' attribute of entry
>>> 'uid=foo,ou=people,dc=dept,dc=school,dc=edu'.
>>>
>>> passwd: Permission denied
>>>
>>>
>>> If anyone has any thought I'd be grateful! I'm pretty perplexed!
>> <snip>
>> I'm an LDAP ignoramus so take this for what it's worth -- is it possible
>> it's a PAM configuration problem and not an LDAP or ldap.conf problem? -
>> John
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>   
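An added check for the two things this thread turns on (an ACI that does not grant the user write on userPassword, and clients pointed at read-only consumers), written as example code that is not from the original posts. The host names, bind DNs, suffix and the sample ldapsearch output below are constructed for illustration:

```shell
#!/bin/sh
# Added example (not from the original posts). Two checks for the failure in
# the thread: are the hosts in ldap.conf read-only consumers, and does the
# suffix carry an ACI granting the user write on userPassword? Both are read
# from the LDIF that ldapsearch prints. The sample LDIF below is constructed,
# and all host names, DNs and ACI text are assumptions for illustration.

# Join LDIF continuation lines (a leading space) onto the previous line, so a
# long aci value or DN wrapped by ldapsearch can be matched as one line.
unwrap_ldif() {
    awk '/^ / { printf "%s", substr($0, 2); next }
         NR > 1 { print "" } { printf "%s", $0 } END { print "" }'
}

# One line per nsDS5Replica entry: SUPPLIER or CONSUMER, the suffix, and for a
# consumer its explicitly configured referral URLs. nsDS5ReplicaType 3 is an
# updatable replica (master), 2 is read-only. 389/Fedora DS can also hand out
# referrals learned from replication, so "referral=NONE" is a hint to confirm
# with a real write, not proof that the consumer returns no referral.
classify_replicas() {
    awk '
    function val(s) { sub(/^[^:]*: /, "", s); return s }
    function flush() {
        if (root == "") return
        if (type == "3")      printf "SUPPLIER %s writes accepted\n", root
        else if (type == "2") printf "CONSUMER %s referral=%s\n", root, (ref == "" ? "NONE" : ref)
        else                  printf "UNKNOWN %s type=%s\n", root, type
        root = ""; type = ""; ref = ""
    }
    /^dn: /                   { flush() }
    /^nsDS5ReplicaRoot: /     { root = val($0) }
    /^nsDS5ReplicaType: /     { type = val($0) }
    /^nsDS5ReplicaReferral: / { ref = (ref == "" ? "" : ref ",") val($0) }
    END { flush() }'
}

# Exit 0 and print SELF-WRITE-OK if some aci value on stdin grants "write" on
# userPassword (or on "*") to userdn="ldap:///self"; otherwise exit 1. ACI
# keywords are case-insensitive, so everything is lower-cased first. This is a
# textual check only: it does not evaluate targetfilter or deny rules.
check_self_write_aci() {
    awk '
    /^aci: / {
        a = tolower($0)
        if (a ~ /targetattr *= *"[^"]*(userpassword|\*)/ &&
            a ~ /allow *\([^)]*write/ &&
            a ~ /userdn *= *"ldap:\/\/\/self"/) ok = 1
    }
    END { if (ok) { print "SELF-WRITE-OK"; exit 0 }
          print "SELF-WRITE-MISSING"; exit 1 }'
}

# Live probe, not run by the demo below. Needs the OpenLDAP client tools and a
# bind DN allowed to read cn=config and the suffix's aci values (anonymous
# binds normally cannot). Arguments: host, bind DN, suffix.
probe_host() {
    ldapsearch -x -LLL -H "ldap://$1" -D "$2" -W -b cn=config \
        '(objectClass=nsDS5Replica)' nsDS5ReplicaRoot nsDS5ReplicaType nsDS5ReplicaReferral \
        | unwrap_ldif | classify_replicas
    ldapsearch -x -LLL -H "ldap://$1" -D "$2" -W -b "$3" -s base aci \
        | unwrap_ldif | check_self_write_aci
}

# Reproduce the password write with PAM out of the picture: bind as the user
# and replace userPassword on one host. A consumer refuses the update, normally
# with a referral to a master; add -C to make ldapmodify chase that referral.
# Arguments: host, user DN, new password.
try_self_write() {
    printf 'dn: %s\nchangetype: modify\nreplace: userPassword\nuserPassword: %s\n' \
        "$2" "$3" | ldapmodify -x -H "ldap://$1" -D "$2" -W
}

# Constructed sample: a read-only consumer with no explicit referral, and a
# suffix ACI that omits userPassword (wrapped the way ldapsearch wraps it),
# beside the same ACI with userPassword added.
SAMPLE_CONSUMER_LDIF='dn: cn=replica,cn="dc=dept,dc=school,dc=edu",cn=mapping tree,cn=config
nsDS5ReplicaRoot: dc=dept,dc=school,dc=edu
nsDS5ReplicaType: 2'
SAMPLE_ACI_TIGHT='aci: (targetattr="carLicense || description || displayName")(version 3.0; acl "E
 nable self write for common attributes"; allow (write) userdn="ldap:///self";)'
SAMPLE_ACI_FIXED='aci: (targetattr="carLicense || description || displayName || userPassword")(version 3.0; acl "Enable self write for common attributes"; allow (write) userdn="ldap:///self";)'

demo() {
    printf '%s\n' "$SAMPLE_CONSUMER_LDIF" | unwrap_ldif | classify_replicas
    printf '%s\n' "$SAMPLE_ACI_TIGHT" | unwrap_ldif | check_self_write_aci || true
    printf '%s\n' "$SAMPLE_ACI_FIXED" | unwrap_ldif | check_self_write_aci
}
demo
```

Run probe_host against each host named in ldap.conf with a privileged bind, then try_self_write as the user against a master and a consumer in turn. The consumer's answer shows what referral, if any, the client is handed; with -C the client chases it itself, so a failure there points at the reachability of the referred-to master from the client rather than at PAM, which separates the directory side from the PAM question raised in the thread.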



